I have a question regarding IP spoofing and authentication. I have an OpenVPN server in TUN mode with many untrusted clients in the same VPN network, and I was wondering if one client is able to spoof its VPN IP address so that it appears to the server as another client. Is there any way to prevent it?
I was thinking maybe if:
1) I assign static IP addresses to the clients, then
2) save the mapping IP address-TLS certificate for each client, then
3) I can verify, for each incoming packet to the server, the source IP address and the fingerprint (or Common Name) of the TLS connection that sent that packet and see if they match.
Is it possible and if yes, how?
I was reading that with tls-verify, I can verify that the client with certificate A belongs to 10.8.0.4, for example, when the client connects to the OpenVPN server, but can I be sure that all the packets with source IP address 10.8.0.4 belong to the client with certificate A? Basically I want to identify clients based on their IP address. Is there any script to verify this?
Thank you a lot for your attention. I hope I have been clear enough.
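
One way to implement steps 1 and 2 of the plan above, as an added example that is not part of the original post: a `client-connect` hook that looks up the certificate Common Name in a mapping file, pins the tunnel address with `ifconfig-push`, and rejects unknown names or a mapping that gives two certificates the same address. The mapping file path and format, the function names, `topology subnet` and the /24 netmask are assumptions.

```shell
#!/bin/sh
# Added example: client-connect hook pinning a tunnel IP to a certificate CN.
# Server side needs "script-security 2" and "client-connect /path/to/this".
# Assumptions: "topology subnet", a /24 netmask, and a mapping file of
# "<common-name> <ip>" lines at the hypothetical path below.
MAP_FILE="${MAP_FILE:-/etc/openvpn/cn-ip.map}"
NETMASK="${NETMASK:-255.255.255.0}"

# Print the pinned IP for a CN; fail if the CN is absent or listed twice.
lookup_ip() {
    cn="$1"
    [ -n "$cn" ] || return 1
    # Exact match on field 1, so "client" never matches "clientA".
    ip=$(awk -v cn="$cn" '$1 == cn { print $2; n++ }
                          END { if (n != 1) exit 1 }' "$MAP_FILE") || return 1
    # Refuse anything that is not digits and dots before handing it to OpenVPN.
    case "$ip" in
        ""|*[!0-9.]*) return 1 ;;
    esac
    printf '%s\n' "$ip"
}

# Fail if two CNs share one IP: the address would no longer identify a client.
map_is_consistent() {
    awk '!/^#/ && NF >= 2 { if (seen[$2]++) bad = 1 }
         END { exit bad + 0 }' "$MAP_FILE"
}

# Write the per-client directive into the temp file OpenVPN passes as $1.
write_client_config() {
    cn="$1"; out="$2"
    ip=$(lookup_ip "$cn") || return 1
    printf 'ifconfig-push %s %s\n' "$ip" "$NETMASK" > "$out"
}

# OpenVPN sets script_type and common_name in the hook's environment;
# a non-zero exit status rejects the connecting client.
if [ "${script_type:-}" = "client-connect" ]; then
    map_is_consistent || exit 1
    write_client_config "${common_name:-}" "$1" || exit 1
fi
```

In TUN server mode OpenVPN drops packets whose source address is not associated with the sending client instance and logs "bad source address from client", so the address pinned here stays bound to the TLS session that authenticated with that certificate.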